Paytm stops ‘root access’ on Android phones

BENGALURU: After the issue was flagged by a French security researcher, payments player Paytm has fixed what is being seen as one of the most sensitive forms of access it was seeking from its users on Android phones. The security researcher, who goes by the name of Elliot Alderson on Twitter, told TOI that Paytm, in a new update to its app, has stopped seeking ‘root access’ from users after he raised the issue with the company. Earlier, if a user allowed the app root access, Paytm would virtually have complete control over the device.

TOI has reviewed direct messages on Twitter between Paytm’s security team and Alderson with the former confirming it is no longer asking for root access.

Alderson said root access is essentially one of the most significant entry points for any Android device, as it can be used to manipulate the phone’s operating system. It allows access to other apps’ information and chat details, among many other things on the device. This is not an Android permission like access to text messages or a user’s phone book. Tech experts do not advise allowing root access unless the user is totally savvy with technology. Alderson’s Twitter handle is @fs0c131y.

Paytm has maintained it was seeking root access due to requirements laid out by the payments umbrella body, NPCI, which mandates checking if a device is rooted. “We are still checking if a device is rooted or not but the method has changed with a different coding. While the earlier method was foolproof, the latest one means to check if a device is rooted or not with a success rate of about 70-80%,” a Paytm spokesperson said without divulging details. “The fix does not require a new app on the Google Play Store. The engineering team pushed a config (configuration) change…,” part of the message by Paytm to Alderson read.

Alderson said root access goes beyond the standard permissions sought by various apps, which is why it is contentious. However, it does not necessarily mean one would misuse the access. “This (root access) is the Holy Grail. You can do whatever you want with that - steal data from other apps, read private conversations,” he told TOI, explaining the possible implications of getting root access. Alderson, in the recent past, has raised security issues on Aadhaar and BSNL, among others, showing the availability of sensitive data that can be accessed leveraging technology when the security layers aren’t adequate.